The Mac Flashback trojan has reportedly infected more than half a million Macs …

Variations of the Flashback trojan have reportedly infected more than half a million Macs around the globe, according to Russian antivirus company Dr. Web. The company made an announcement on Wednesday—first in Russian and later in English—about the growing Mac botnet, first claiming 550,000 infected Macs. Later in the day, however, Dr. Web malware analyst Sorokin Ivan posted to Twitter that the count had gone up to 600,000, with 274 bots even checking in from Cupertino, CA, where Apple's headquarters are located.

We have been covering the Mac Flashback trojan since 2011, but the most recent variant from earlier this week targeted an unpatched Java vulnerability within Mac OS X. That is, it was unpatched (at the time) by Apple—Oracle had released a fix for the vulnerability in February of this year, but Apple didn't send out a fix until earlier this week, after news began to spread about the latest Flashback variant.

According to Dr. Web, 57 percent of the infected Macs are located in the US and 20 percent are in Canada. Like older versions of the malware, the latest Flashback variant searches an infected Mac for a number of antivirus applications before generating a list of botnet control servers and beginning the process of checking in with them. Now that the fix for the Java vulnerability is out, however, there's no excuse not to update: the malware installs itself after you visit a compromised or malicious webpage, so if you're on the Internet, you're potentially at risk.

Jacqui Cheng
Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more. Email: jacqui@arstechnica.com // Twitter: @eJacqui

To be fair, the trojan exploited a Java vulnerability. Does Apple only distribute their own Java, or do they also develop it?

Through Java 6, Apple distributed. With Java 7, it's up to Oracle to supply Java. This hand off happened two years ago.

With 10.7 Lion, even Apple distribution of Java is not pre-installed.

My one Mac is spared because of this. The other one had the update installed as soon as I heard about this. I also ran the defaults read lines from the link provided in this story. Luckily, I was not affected by this problem.

To chime in, my Mac started at 10.5 (now at 10.7), and I don't have Java installed at all. Not sure if I ever did, to be honest.

This is yet another example of Apple's reality distortion field creating users who don't worry about malware because it's Microsoft's problem....

Sigh - there we go again.... please, cut the BS. Up to just now, there were no Mac botnets. And now, there is, if this Russian security company turns out to be right.

Saying "there are no viruses on the Mac" was a true statement up to last week. Now it isn't anymore, times change. That's all.

Still true. Trojans aren't viruses no matter how many people believe the contrary.

Still incorrect. Viruses exist for the Mac and have for a very long time. No PC system is safe from them, or from worms, or from trojans, or from backdoors, or from rootkits or from any other malware you want to point out.

In fact, a quick Google search shows iantivirus.com (an antimalware vendor) lists out current known threats, and has a list currently of approximately 20 or so actual viruses (not trojans or some other form of malware) in the wild, all of which you can look into further on the internet to find the specifics of.

Tangential note: I find it funny that many people arguing semantics over virus/trojan appear to be lumping in worms and viruses into the same category by simply saying "viruses self-replicate"

Yeah - but this malware has several different infection vectors - the Java drive-by vulnerability (now patched, and OS X Lion never had Java installed by default anyway); but also: a fake Adobe Flash update. And a fake system update. Thank you, Adobe, for making your official upgrade also look like a piece of malware (it installs straight from the web browser, without downloading a DMG).

If you don't have Java you're safe from a silent install, but you could still fall for one of the others.

What was it Jobs was trying to say to people about Flash a while back? Oh yeah, Flash might be bad, and we should not depend on it. I have a flash blocker to prevent flash from loading without permission, guessing now it was a good call. I had a bunch of ad blockers, and it was not too long before they moved to loading ads in flash. Its days were numbered with me only for this reason.

Any idea what, specifically, this trojan causes your computer to do? My ex-GF seemed to believe she was invincible on a Mac and has recently been spamming my email with ads (*suspicious*) from her email address.

Most likely this isn't her machine which has been compromised, but another machine which had her machine in its address book. And, yes, that "other machine" is 99% likely to be a Windows machine.

I actually saw the fake Adobe Flash update a few days ago. It looked pretty similar to the one that pops up on the Windows computer I use for work. My thought process was: "Huh, my Flash probably is out of date. But, I've never had a Flash update pop up invasively like that on my Mac before. I'll just go to Adobe's website to update it that way."

I'm glad that Macs don't have that sort of update reminder, it would be more difficult to distinguish the genuine from the malware.

Yeah, Apple's concerns about Flash were because of security and not, say, its ability to emulate app-store functionality on phones.

I dislike Flash (I run NoScript so it only runs with my permission), but I find it fairly hilarious that Apple is apparently against browser plugins, yet is responsible for creating and maintaining QuickTime. A friend linked me to a trailer on the Apple website that, in 2012, required QuickTime (which I presume still requires a simultaneous installation of iTunes, Bonjour and all that system-sludge).

No it doesn't - iTunes for MSWin doesn't even depend on QT anymore, and QT never depended on anything else. And Bonjour is actually quite useful, where I worked last it was received with open arms because it made it so much easier to find and install printers.

Adobe Flash, however ... as recently as yesterday evening I had to force-reboot because watching a streaming TV series in fullscreen upset something in the low-level graphics engine on my late 2011 i7 MBP 13" (fortunately I could still log in via ssh to do it properly). Not the 1st time that happened, either ... but off-topic here.

We all agree they aren't the same thing to those of us who know what we're talking about. Fine; there isn't a current, widespread virus that infects OS X. There hasn't been a Trojan horse either. If the information in this article is correct, there is now a Trojan horse infecting OS X.

This is a problem whatever you call it. Apple has promoted its products as less vulnerable to malware (whether it be virus, Trojan horse, what-have-you) than Windows. The technologically unsavvy have taken this to mean OS X is immune to malware ("viruses" in their parlance). We all know this was never the case. We all know the differences among the various types of malware. But what we know doesn't really matter, because there is a large number of tech-illiterate Apple users out there who don't think they need to worry about the kind of computer threats that even the most illiterate Windows user worries about. See the problem?

Actually, this is the second trojan of widespread acclaim in the past 6 months, so this is actually a growing problem. The MacDefender trojan used a different payload. Regardless, YES, malware of any sort is a problem, and it IS concerning that Apple seemed only to address the security threat after it became a story, just like the Mac Defender situation. This is an area that the typically "silent" nature of Apple needs to change in. Heck, Microsoft trumpets across the internet "hey look, there's a hole here, fix coming on Tuesday!" As Apple becomes a bigger target for malware, it certainly should think about acting more like that.

I run OS X, and Windows 8, and xUbuntu. I like them all. I have zero dog in this race. This whole side conversation about trojans/viruses started because I tried to point out that this wasn't a virus. Then I got accused of being a fanboi for making the distinction. Then a bunch of people tried to say that a trojan was a kind of virus. No. Just...no.

EVERY OS should be secured as much as possible. But when discussing malware, it's important to note what we're talking about. You say "we all know the differences", but go through the thread. There are a lot of people that DON'T. Should Apple stop marketing Macs as "more secure"? Well, maybe not yet, but if they keep up their habit of not addressing things until they become major tech-site news stories, then they're going to have to. I'd rate Windows with MSE about as secure as OS X, out of the box. The real problem is the users. It always will be, too.

I can't wait for the day when we install computers in our brains, so you have to teach little Johnny not to download porn because it could actually destroy his motor functions.

Fair enough. I'm a stickler for technical accuracy as well. It just felt like we were getting bogged down in the definition conversation.

I think mainstream implanted computers will have to be far more secure than anything we have now. As you said, the basic tenet of computer security will always hold: almost all users are morons.

Flash is a dog on Apple machines, QuickTime is a dog on Windows machines. I can't think of any real use for it, as VLC and the QT Alternative codec both play the embedded MOV files if you can be bothered to scrape them.

You might be surprised how many people are using QuickTime on MSWin - and here I mean developers and the C API. I agree the player is a heavy handed beast but once you start tapping into the engine from your own code you'll realise just how powerful it is. Sadly it's rather orphaned, most all functions to be used under MSWin are deprecated on the Mac, and Apple's replacement frameworks for OS X do not (yet) implement a lot of what made QT such a workhorse.

Flash is a dog anyway, or should I say bitch? Who on earth would conceive of a 'feature' where ads during streaming broadcasts are paused when you switch to another window?!

I think that's a foolish assumption. Users are not morons typically; they merely have more important things to do with their lives than understand the ins and outs of securing their computer. They don't understand the ins and outs of securing their homes -- find me many people who truly understand how difficult or easy it is to defeat their home security system -- and, in their view, they shouldn't have to. That's why they paid someone else to do it right.

If we lived in a world where everyone had to be conversant in the technical details of every technology they used, we would never get anything done.

Calling users morons is the wrong attitude for us technologists; it tends to make us throw up our hands and stop trying to protect people who are apparently too dumb to do it themselves. What we need to do instead is remember that it's *unreasonable* to expect everyone to know these things, and then design and advise accordingly.

Very nice infographic, so it must be true - who would create a beautiful graphic if it was not? And if you can't trust a Russian website, who can you trust? Is the Syrian site down? This sounds like a PC designer's wishful thinking that he might get to design on a Mac someday. Has anyone outside of this guy's lab found this virus on their machine? Anyone? Anyone?

I presume F-Secure would count as “anyone”: http://www.f-secure.com/weblog/ Not on a quick read of this link, but somewhere else I believe I saw them confirm the 600K estimate, too.

First, who is this company/guy? Second, how did he get his information? Third, let's look at the numbers before panicking: 600K Macs out of how many Macs? Someone on another blog posted that there have been over 50 Million Macs sold since 2006, making the 600K less than 1% of the total number of Macs.

This is NOT meant to underestimate the threat this poses to the Mac community. It should serve as a wake-up call to Mac users and to Apple. We users need to be proactive with regard to protecting our machines; Apple needs to be more responsive to the potential threats. That being said, it is worth noting that none of the recent trojans are able to access a 'hole' through OS X, but find their way onto the machine through other software, MS Office (pre-2011) and Java.

The security industry has known for years Apple's claims to attack immunity is a fairy tale. The fact that Mac sales have been increasing while those of PC manufacturers have only been steady tells me this is the beginning of attacks against Mac devices. I've written a blog post with my take on Apple's new pro-anti-virus stance – and why defensive tactics like AV won't work – here: http://blog.coresecurity.com/2012/04/05 ... -to-hacks/

Last year my stats class required us to do all our homework on a web site using Flash. I was so angry that whole semester; I hate Flash on Mac with a passion. OTOH I think Silverlight runs rather well. So well, in fact, I wonder what horrible thing will be discovered about it one day. I run it in a separate browser just for this reason.

I have to be honest, the two things MS seems to have done well. Silverlight, and Xbox Live. I guess it is true, every dog has their day. We can't say about tomorrow. ;P

VLC is just pure win. Over the years, they just get better, and better.

Hell no, I'm not paranoid. But both AV programs, NoScript and Time Machine are free and unobtrusive. And Little Snitch comes with a great pedigree and is SO cool and cheap. So why not? Happily using Macs virus-free since 1992 when I needed xTerm to transfer files ad hoc LOL.

So the terminal commands checked both Safari and Firefox, but not Chrome. Why is that?
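The "defaults read" lines that commenters above ran against Safari and Firefox inspect each browser's Info.plist (and the per-user ~/.MacOSX/environment.plist) for a DYLD_INSERT_LIBRARIES entry, the launch-time library injection the published Flashback checks look for. The script below is an added example, not code from the article, Dr. Web, or anyone in the thread: it performs that same check with Python's plistlib on constructed sample plists, and extends the target list to Chrome's bundle path, which is an assumption, as are the placeholder library paths in the samples.

```python
"""Check macOS Info.plist / environment.plist files for a DYLD_INSERT_LIBRARIES
entry under LSEnvironment, which is what the widely published 'defaults read'
Flashback checks look for.  Sample plists are constructed inline so the script
runs offline on any platform."""
import plistlib
from pathlib import Path
from typing import Dict, List

PLIST_HEADER = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
    b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    b'<plist version="1.0">\n'
)

# Constructed sample: a clean browser Info.plist, trimmed to the keys that matter here.
CLEAN_PLIST = PLIST_HEADER + b"""<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.Safari</string>
</dict>
</plist>
"""

# Constructed sample: the same bundle with an LSEnvironment block that forces a
# library into the browser at launch.  The library path is a placeholder, not an IoC.
INFECTED_PLIST = PLIST_HEADER + b"""<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.Safari</string>
    <key>LSEnvironment</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/Applications/Safari.app/Contents/Resources/PLACEHOLDER.so</string>
    </dict>
</dict>
</plist>
"""

# Constructed sample in the shape of ~/.MacOSX/environment.plist, where the
# variables sit at the top level and apply to every app the user launches.
USER_ENV_PLIST = PLIST_HEADER + b"""<dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/tmp/PLACEHOLDER_A.dylib:/tmp/PLACEHOLDER_B.dylib</string>
</dict>
</plist>
"""


def injected_libraries(plist_bytes: bytes) -> List[str]:
    """Return the library paths named by DYLD_INSERT_LIBRARIES, looking first under
    LSEnvironment (Info.plist) and otherwise at the top level (environment.plist).
    An empty list means no injection entry is present."""
    data = plistlib.loads(plist_bytes)
    env = data.get("LSEnvironment")
    if not isinstance(env, dict):
        env = data
    value = env.get("DYLD_INSERT_LIBRARIES", "")
    # The variable is a colon-separated list of paths; drop empty segments.
    return [p for p in str(value).split(":") if p]


def scan_plists(paths: List[str]) -> Dict[str, List[str]]:
    """Run the check over several plist paths.  Files that do not exist are skipped,
    since an application that is not installed cannot have been modified."""
    findings: Dict[str, List[str]] = {}
    for path in paths:
        p = Path(path).expanduser()
        if p.is_file():
            libs = injected_libraries(p.read_bytes())
            if libs:
                findings[str(p)] = libs
    return findings


# Safari and Firefox are the two bundles the published check covers; Chrome's
# bundle path is added here as an assumption, since the thread asks about it.
DEFAULT_TARGETS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
    "/Applications/Google Chrome.app/Contents/Info.plist",
    "~/.MacOSX/environment.plist",
]

if __name__ == "__main__":
    # Demonstrate on the constructed samples, then on the real paths if present.
    for name, sample in [("clean", CLEAN_PLIST), ("infected", INFECTED_PLIST),
                         ("user env", USER_ENV_PLIST)]:
        print(f"{name:>9}: {injected_libraries(sample) or 'no injection entry'}")
    for path, libs in scan_plists(DEFAULT_TARGETS).items():
        print(f"FLAGGED {path}: {libs}")
```

On a Mac the same check can be typed directly as `defaults read /Applications/Safari.app/Contents/Info LSEnvironment`; the script only adds the ability to cover several bundles in one pass and to treat a missing file as "nothing to check" rather than an error. A flagged entry is a reason to investigate, not proof of this particular malware, since DYLD_INSERT_LIBRARIES has legitimate (if rare) uses.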

And many of us know that “Apple's claims to attack immunity” is ALSO a fairy tale.

Recent PR pages at Apple.Com tout how the OS “helps” keep you secure with “virtually no effort on your part” (implicitly referring to the frequent “are you sure?” popups that plagued other efforts to combat malware).

The ad wherein “Mac” told the sneezing “PC” that Macs didn't get “PC's viruses” ran over 5 years ago and Apple has constantly upped its security game since (when it had essentially very little other than a good track record). Of course, XP was the Windows du jour and it's likely that XP was the vehicle for more malware infections than all other OS's combined (so the claims of relative security were overwhelmingly correct).

So beliefs that Apple has been pushing "immunity" are based on an extremely selective memory — recalling the gall of Apple being able to make such an insultingly strong claim, but ignoring the more reasoned and thoughtful efforts since then.

"Because Flashback shows the universally unique identifier of each bot, he said they're confident they didn't count the same one multiple times, although they couldn't rule out the possibility that some of the machines were running FreeBSD, Linux, Windows, or other operating systems."

Yeah, I mean that's like 1800 machines. Insert "isn't that all of them?" joke here.

0.006 percent, or 0.0006 is 360, you were right the first time. I believe it is due to Java not being installed by default, and some have reported the flash exploit being successful in Windows. I must admit it pains me to see Java sinking to the level of malware vulnerability.

I know this is old, but the ignorance about Java is astounding. Java is a programming language. The Java Plugin is the vulnerability. I hate seeing articles written about Java being a vulnerability. I wish people could get it right.